RB440 Properties Ltd v The Proprietors, Strata Plan No 22 - Judgment

¶ ```html <table> <tr> <td>IN THE GRAND COURT OF THE CAYMAN ISLANDS</td> </tr> <tr> <td>CIVIL DIVISION</td> </tr> <tr> <td>CAUSE NO. G 201 of 2019</td> </tr> <tr> <td>BETWEEN:</td> <td>RB440 PROPERTIES LTD</td> <td>Plaintiff</td> </tr> <tr> <td>AND:</td> <td>THE PROPRIETORS, STRATA PLAN NO. 22</td> <td>Defendant</td> </tr> <tr> <td>Appearances:</td> <td>Mr. Guy Dilliway-Parry of Priestleys for the Plaintiff</td> </tr> <tr> <td>Mr. Peter McMaster QC and Ms. Mehreen Siddiqui of Appleby for the</td> </tr> <tr> <td>Defendant</td> </tr> <tr> <td>Before:</td> <td>Hon. Justice Richard Williams</td> </tr> <tr> <td>Heard:</td> <td>13 July 2021</td> </tr> <tr> <td>Draft Judgment</td> </tr> <tr> <td>circulated:</td> <td>22 November 2021</td> </tr> <tr> <td>Date of Judgment:</td> <td>25 November 2021</td> </tr> </table> <div class="image"> <img src="https://example.com/logo.png" alt="Grand Court of Cayman Islands Logo"> </div> <h2>HEADNOTE</h2> <p>Strata property - Application of the Data Protection Act (2021 Revision) to requests for documents made by a proprietor under registered by-laws</p> <h2>JUDGMENT</h2> <h3>Parties and the Claim</h3> <p>The Plaintiff is the registered owner of Villa Number 28 at Strata Plan 22 ("the Strata Plan"), a Villa on Mile Road 22 ("the Strata Plan"), and he has filed an affidavit sworn on 23 October 2020 and another sworn on 11 December 2020.</p> <p>Michael is the Director of the Cayman Islands Company for Mr. Beachcomber.</p> <p>211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment</p>

¶ [2] The Defendant is the Strata Corporation ("the Corporation"). The Corporation was formed pursuant to s.5(1) of the Strata Titles Registration Act ("STRA") and each registered proprietor of a strata lot is a member of the Corporation. Section 21(7) of the STRA provides: “(7) Bye-laws for the time being in force shall bind every corporation and the proprietors to the same extent as if such bye-laws had respectively been signed and sealed by such corporation and each proprietor and contained covenants on the part of such corporation with each proprietor and on the part of each proprietor with every other proprietor and with such corporation to observe and perform all the bye-laws.”

¶ [3] The Corporation is managed by an Executive Committee (“the Committee”). Ms. Elizabeth Boland is the Chairwoman of the Committee and she has filed an affidavit sworn on 27 November 2020.

¶ [4] Before this Court is the Plaintiff’s Originating Summons dated 27 November 2019. Therein the Plaintiff claims the following relief: (i) A declaration that: a. The Plaintiff, as the registered proprietors of Villa Number 28 at Beachcomber, is entitled under Proprietors Strata Plan No. 22 (The Beachcomber) By-Laws (“the By-Laws”) By-Law 48(b) to inspect or have inspected any book or account or documents whatsoever held by or on behalf of the Corporation. b. The Plaintiff is entitled to receive a written notice in accordance with By-Law 48(b);
```html <table> <tr> <td>c. The Defendant has breached By-Law 48(b) by refusing and/or failing within</td> </tr> <tr> <td>a reasonable time to grant the Plaintiffs request made under By-Law 48(b):</td> </tr> <tr> <td>(i) An injunction requiring the Defendant to forthwith grant the Plaintiff</td> </tr> <tr> <td>access to inspect or have inspected any book or account or</td> </tr> <tr> <td>documents whatsoever held by or on behalf of the Committee</td> </tr> <tr> <td>including but not limited to:</td> </tr> <tr> <td>a) Any data held on V12 accounting software relating directly or</td> </tr> <tr> <td>indirectly to the Corporation and/or the Committee;</td> </tr> <tr> <td>b) Books of accounts in respect of all moneys received and spent by</td> </tr> <tr> <td>the Committee;</td> </tr> <tr> <td>c) Accounts relating to all moneys of the Corporation, and the</td> </tr> <tr> <td>income and expenditure thereof.</td> </tr> </table>

¶ [5] The Defendant, on the other hand, submits that the proceedings concern the application of the Cayman Islands Data Protection Act (2021 Revision) (the “DPA”)1 to requests for documents under the registered By-Laws of the Strata Plan. They highlight that the DPA, which came into force in September 2019 (after the By-Laws were adopted), places legal constraints on the disclosure of certain types of information and: <blockquote> <p>“requires any request for the disclosure of personal data to be assessed by reference to a number of separate principles.”</p> </blockquote> <sup>1</sup> At the relevant time the DPA 2017 was the governing legislation and any changes in the DPA 2021 are not of importance in this matter. 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 3 of 51 ```
```markdown # Judgment The Defendant invites the Court to dismiss the claim, because it believes it has already offered to provide the Plaintiff with all the information that a Court would order to be provided, with one proviso. That proviso is that the Plaintiff enter into an agreement regarding the provided data which the Defendant feels would ensure that the Committee was complying with requirements of the DPA when it was providing the same and that the Plaintiff and any third parties would similarly then also comply with DPA obligations in relation to the data. The Plaintiff is not content with the proposal and has rejected it, arguing that it is wrongly grounded on a contention that, when accessing the data, it would be processing data on behalf of the Committee. ## Background Due to the issues raised, cross-proposals made and various positions taken at different times by the parties in this matter, it is necessary to explore the background in greater detail than one might ordinarily wish. The Plaintiff's abou of the renta about the operation of the pool at the Annual Ctin of the 2019 StraGen and reco on ber, the raised priluring the AGM")romery saida the boordsg ("the Corporation to enable the Plaintiff to determine whether the Corporation was being run ```
```markdown efficiently and to be able to hold the Committee to account if it was failing to do that. He said that, at the AGM, the Treasurer had stated that access to the rental pool data would be provided to him. This was not forthcoming and he was informed that the Treasurer when speaking to him had been referring to aggregate data and not to raw data.

¶ [10] On 4 November 2019, Mr. Montgomery wrote to the Committee and requested, referring to the By-Laws, access to the books of account<sup>2</sup> and the V12 system. He stated that the data needed was: (i) the gross rental revenue; (ii) the management fee deducted; (iii) either days rented or check-in date and checkout date; and (iv) either unit number or number of bedrooms in the unit, whether it’s an interior or exterior unit and whether it’s a ground floor penthouse. He expressed a view that the proprietors could collectively be making more money from the rental pool. It was evident, putting it in context with the then recent exchanges during the AGM, that he was stating that he was seeking the data to enable him to explore whether improvements could be made to the way the rental pool was being operated.

¶ [11] Richard Becherer, the then Chairman of the Committee, responded stating that he was sensitive about data being provided on specific units because of privacy issues. He stated that the Committee may be forced to talk about how to schedule a matter for the Committee to see and as well as getting the matter to the Board in the way forward. The Committee is not in a position to provide the data outstanding for the matter. <sup>2</sup> Books of account are defined in By-Law 31(b) to include “occupancy statistics for each Strata Lot”. 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 5 of 51 ```
```html <table> <tr> <td>advice from a lawyer concerning the privacy issues. In the circumstances, this appears to have been an understandable initial response.</td> </tr> <tr> <td>12.</td> <td>However, shortly after the Chairman’s reply, on 8 November 2019 the Plaintiff’s attorneys wrote to the Secretary of the Committee. The attorneys cited By-Law 48 and stated that the Plaintiff had an:</td> </tr> <tr> <td>“unfettered right to inspect any accounting records it wishes relating to Beachcomber.”</td> </tr> <tr> <td>They added:</td> </tr> <tr> <td>“Please therefore accept this letter as notice in writing of our client’s request for access to all of Beachcomber’s accounting records. We should be grateful for a response on or before the close of business on Tuesday 12th November, failing which we will assume that access has been denied. In such circumstances, our advice to our client will be to seek an injunction from the Cayman Islands Grand Court ordering Beachcomber to comply with its bye-laws and to providing access requested.”</td> </tr> <tr> <td>13.</td> <td>On 13 November 2019 Mr. Montgomery wrote to Mr. Becherer. He referred to the “Notice” from his attorney dated 8 November 2019 and requested that Mr. Becherer (on behalf of the Committee) give an undertaking to provide him with access to the raw account data held on the V12 software. He indicated that if the undertaking was not forthcoming by 4:00 p.m. on the following day, 14 November 2019, that he would alert all other in relation to the By-Laws and that the matter would be taken to court.</td> </tr> </table> ```
The Committee consulted with its attorneys. The Committee’s attorneys wrote a reply to the Plaintiff’s attorneys on 18 November 2019. They stated that they did not agree with the Plaintiff’s assertion that the Plaintiff had unfettered rights to inspect any accounting records it wishes. They expressed a view that the implementation of the DPA meant that the Committee: “could not simply hand over records that contain personal information without the fully informed consent of the data subjects.” They added that the broad information sought by the Plaintiff contains personal information relating to the proprietors and is subject to a duty of confidentiality as it is sensitive, valuable and only available to a limited pool of people. To enable fully informed consent of the proprietors to be sought the Committee’s attorneys requested details about: (i) the purpose for which the information was sought; (ii) the manner in which the information would be maintained by the Plaintiff, including security measures to prevent unauthorised access from third parties; (iii) whether or not the Plaintiff intended to provide the information to third parties and, if so, who and what measures they have in place to protect the confidentiality of that information; and (iv) whether the Plaintiff consents to disclosure of its ultimate beneficial owners to the other proprietors in the event that individual members wish to explore other opportunities tch personal information. They said that they sought this information, as it covered basic uninformaticerepositions under the DPA”, was required to move the request forward. 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 7 of 51

¶ [15] The Plaintiff's attorney replied on 19 November 2019 and, after citing s.25 and Schedule 2, Parts 2, 3, 6 of the DPA, disagreed with the Defendant's assertion that records containing personal information required fully informed consent of the data subjects. They invited the Defendant to provide, by 1:00 p.m. on that day, a number of undertakings and indicated that if they were not forthcoming, then proceedings would be issued to enforce rights under STRA. The undertakings sought were: (i) an undertaking not to destroy or alter any of the data held by or on behalf of the Committee in or relating to any book or account or documents whatsoever relating to the Corporation; (ii) an undertaking to provide the Plaintiff with unfettered access forthwith to inspect or have inspected any book or account or documents whatsoever held by or on behalf of the Committee, including but not limited to: (a) any data held on V12 accounting software relating directly or indirectly to the Corporation and/or the Committee; (b) books of accounts in respect of all monies received and spent by the Committee; and (c) accounts relating to all monies of the Corporation, and the income and expenditure thereof.

¶ [16] On 21 November 2019, the Defendant's attorneys replied to the Plaintiff's attorney indicating that the DPA did not detract from the need for the informed consent of the data subjects pursuant to s.25(1) DPA. They stated that the Defendant did not have the authority to enforce the undertakings sought, as the undertakings sought were only pursuant to the laws of the Cayman Islands and not orders of a court. They disagreed that
```markdown s.25(2)(a) DPA applied in this case, simply because the Plaintiff wished to bring proceedings. They argued that s.25(2)(b) DPA related to legal advice being sought by those who hold the data and not for the Plaintiff to seek advice from its attorney. They further contended that s.25(2)(c) DPA was not applicable to the situation where the Plaintiff was seeking the provision of the data to enable him to bring proceedings to establish his rights under the By-Laws.

¶ [17] In the letter the Defendant's attorneys also highlighted that the legal bases for processing personal data are set out in Schedule 2 of the DPA and that at least one of these conditions must apply whenever personal data is processed. They argued that Part 2 only applied if the processing of the personal data is necessary for the performance of a contract, or in preparation for entering into a contract, and that the manner in which the Plaintiff sought the processing of the data was not necessary for the performance of the By-Laws. They contended that Part 3 only applied if the data was needed to comply with a common law statutory obligation and that it does not apply to contractual obligations. They further contended that Part 6 only applied if the processing of the data was in ways that would have reasonably been expected, which would have minimal impact on privacy of those data subjects, and where there is a legitimate business interest in making the disclosure. They stated that this three-part test had not been met on the information before them. The Defendant again offered to seek the informed consent from the proprietors that to enable it to do so, it needed the responses from the Plaintiff in the 18 November 2019 letter.

¶ [18] The Plaintiff's attorneys replied on 22 November 2019, repeating the request for the aforementioned access undertakings. They elaborated on the "unfettered" access sought to: "inspect or have inspected any book or account or documents whatsoever held by or on the behalf of the (Committee)." They said that the access sought was to include but was not limited to: (a) any data held on V12 accounting software relating directly or indirectly to the Corporation and/or the Committee; (b) books of accounts in respect of all monies received and spent by the Committee; and (c) accounts relating to all moneys of the Corporation, and the income and expenditure thereof. The attorney said that the above access was sought to extract specified data for each unit for the period of the last two years and it was: a) the gross rental revenue of each rental of the unit (raw data, not a summary); b) the management fee deducted from each rental of that unit; c) the check-in date and checkout date for each rental of that unit; d) a description of the unit in question by reference to the number of bedrooms and location within the development; and e) the unit was unavailable for a unit available but sought to make it appear otherwise.
any of those parties or the owners. The Plaintiff also said that, if there was objection to the Plaintiff having direct access to the same, it would be willing to instruct an accountant to extract the relevant data from the V12 software.

¶ [19] The Plaintiff indicated in the letter that the specific data sought did not fall within the definition of personal data set out at section 2 of the DPA as it is not "data relating to a living individual who can be identified". They added that the proprietors of each of the units at The Beachcomber had expressly given their consent to the processing of data in accordance with the By-Laws by agreeing to be bound by these By-Laws. Therefore, even if the data was personal data, the condition at Schedule 2, paragraph 1 of the DPA was satisfied. In addition, they contended that the provisions of By-Law 48 render it necessary to process the data requested by the Plaintiff in order to comply with the terms of the contract that has been expressly entered into and in any event is deemed to have been entered into pursuant to section 21(7) of the Strata Titled Registration Law (2013 Revision). It was contended that provision By-Law 48 is an express contractual right to data and is an example of a contractual right, falling within Schedule 2, paragraph 2 of the DPA.

¶ [20] The Defendant replied on 25 November 2019, rightly stating that any information that contains sufficient identifiers to enable the recipient to identify an individual qualifies as personal data. The Defendant added that the data had been maintained in a way that any individual unit owner could be identified. The Defendant was willing to hand over the information to any third party without the informed consent of the data owner. 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 11 of 51
```html <table> <tr> <td>subjects. It had been pointed out by the Plaintiff that anybody could identify the</td> </tr> <tr> <td>individual unit owners by simply searching at the Cayman Islands Land Registry and</td> </tr> <tr> <td>therefore the Plaintiff did not see an issue with identification of individual unit owners.</td> </tr> <tr> <td>However, the concern of the Defendant was understandably not necessarily who owns the</td> </tr> <tr> <td>unit per se, but the private information about that owner which would be contained in the</td> </tr> <tr> <td>data being sought by the Plaintiff. In the letter the Defendant rightly highlighted that the</td> </tr> <tr> <td>By-Laws did not provide consent to the sharing of personal data and did not override the</td> </tr> <tr> <td>provisions of the DPA, noting that they were drawn up, and proprietors agreed to be</td> </tr> <tr> <td>bound by them, prior to the DPA coming into force. The Defendant offered to investigate</td> </tr> <tr> <td>whether aggregate data could be put together to illustrate trends in occupancy by</td> </tr> <tr> <td>occupant type, time of year, and so on without revealing more specific information.</td> </tr> </table>

¶ [21] The Committee felt unable to fulfil the request for access to information in accordance with the By-Laws because they believed that to do so would potentially be a breach of the DPA, thereby exposing its members to criminal liability and the Strata to potential fines. The Committee considered that, to enable it to comply with the request, it should obtain the consent of the proprietor data subjects3. Therefore, on 26 November 2019, the Committee’s attorneys sent out a letter/circular with a link to an online survey to each of the proprietors setting out some of the background of the matter. In the letter it stated that the Committee had received a request from a proprietor to: <points x1="200" y1="1235" alt="The Committee had received a request from a proprietor to:">The Committee had received a request from a proprietor to:</points> <points x1="200" y1="1265" alt="inspouts 'of ingain 'access">inspouts 'of ingain 'access</points> <points x1="200" y1="1295" alt="occu' and that its">occu' and that its</points> <points x1="200" y1="1325" alt="ect the ace strata arevenue and">ect the ace strata arevenue and</points> <points x1="200" y1="1355" alt="p ancy data's "curren">p ancy data's "curren</points> <points x1="200" y1="1385" alt="Section 2 of the DPA defines data subject as meaning -">Section 2 of the DPA defines data subject as meaning -</points> <points x1="200" y1="1415" alt="individua who can be identified directly or indirectly by means reasonably likely to be used by the data">individua who can be identified directly or indirectly by means reasonably likely to be used by the data</points> <points x1="200" y1="1445" alt="controller or by any other person".">controller or by any other person".</points> <points x1="200" y1="1475" alt="211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment">211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment</points> ```
The request is to allow that proprietor to understand and analyse the revenue and occupancy data from the rental pool. The attorneys expressed a view in the letter that the Committee was concerned that the information requested may: - "expressly include proprietor’s personal data (including names, rental income and others sensitive data) or contain sufficient identifiers (such as apartment descriptions, location, number of rooms etc) to allow such personal data to be deduced". A view was also expressed in the communication that, although the By-Laws contain a broad provision allowing proprietors to inspect books and records, any inspection was subject to the provisions of the DPA. The letter requested answers from all proprietors to the following questions: (i) whether the proprietor would in no circumstances wish any information relating to the rental of the property be shared with other proprietors; (ii) whether there may be circumstances in which the proprietor may agree for some information relating to the rental of the property be shared with other proprietors; or (iii) whether the proprietor has no objection to any information being shared, at the sole discretion of the Committee. On 28 N19, Mr. Moe to all of the proprietors for the survey conducted and provided a detailed report on the reasons for the request. He set out in quite some detail what his concerns were, in particular about the communication video about the plaintiff's request. --- **211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment** Page 13 of 51
```markdown rental rates. He added that access to inspect the rental data records was the right of any proprietor under the By-Laws and that it was needed so that the proprietors: *can make informed decisions about our properties.* He informed the proprietors that he was: *not seeking any personal ownership data, addresses, phone numbers, renter names, etc. that are needed to be maintained by the Strata for operational purposes*.

¶ [23] On 30 November 2019 Mr. Becherer wrote to all of the proprietors commenting that they had likely received an email from Mr. Montgomery explaining *“the reason for his request”*. Arguably, Mr Becherer, recognised that Mr. Montgomery had informed them of the purpose of his request. Mr. Becherer sent the email to enable the owners to hear from the Committee regarding its perspective on what had transpired and about why it had taken the actions it had taken to that date. In the letter, he set out some of the background regarding the involvement of Luxury Cayman Villas (and the suggestion that they take over the running of the rental program) and Mr. Montgomery’s request to download and have the rental and revenue data on each of the units in the rental pool analysed. In the email, he also set out verbatim the detail of the data that the Plaintiff was seeking to have downloaded and analysed away from The Beachcomber office which had been detailed in the Plaintiff’s attorneys’ letter dated 22 November 2019<sup>4</sup>. Mr. Becherer explained that the Committee felt unable to release the data requested due to the provisions of the DP did not make improvements”. <sup>4</sup> See paragraph 18 above.

¶ [24] The Plaintiff criticises the content of the letter accompanying the survey because it failed to inform the proprietors of their rights, as it did not set out the actual terms of the By-Laws in relation to each proprietor's to access information held by the Committee. This criticism was also raised by Bodden & Bodden attorneys who wrote to the Defendant's attorney on 2 December 2019 on behalf of another proprietor. In that communication, they also expressed a view that the By-Laws give a right to all proprietors to inspect documents held by the Committee. The attorneys invited that a further question be added to the survey allowing proprietors to instruct the Committee to stop incurred legal costs and to disclose the data sought. The Defendant's attorneys replied on 2 December 2019 stating: ``` "The ExCo is concerned that if this confidential personal data is provided in an unfettered form, then it will be impossible for the ExCo to police whether (the Plaintiff) will maintain the confidentiality in this data, as we are instructed that he has indicated an intention to share the data with brokers doing business with other units. However, if your client is prepared to consent to the unfettered disclosure of his personal data in this manner then the ExCo is willing to provide this, subject to agreement being reached on the reasonable costs of doing so and restrictions on the wider dissemination of data, or of course your client can provide it directly to Mr Montgomery - but considers that, absence a court order, it must obtain the individual consent of each owner before sharing of personal data." ``` Bodden & Bodden replied stating that their client had no objection to the disclosure of the information sought by the survey in relation to its unit. On 5 December 2019, the Defendant's attorneys also informed Bodden that as at that time:
(i) the owners of 21 units had replied in the survey that there were no circumstances in which they would wish their personal data/such information to be shared with other proprietors; (ii) the owner of one unit had said it did not wish any information to be shared with other proprietors at that time under the circumstances; and (iii) the owners of six units had indicated that they had no objection to any of the data being shared at the sole discretion of the Committee. At the hearing before me, the Defendant stated that the survey results show that the majority of the proprietors did not give consent for their personal data to be released to the Plaintiff.

¶ [26] Although the Plaintiff takes issue with the nature of the information provided to the proprietors and the questions asked in the survey, what is evident is that consent of the majority of the proprietors who completed the survey was not forthcoming. Mr. Becherer in his email to the proprietors dated 30 November 2019<sup>5</sup> stated when referring to his email and to the one sent by Mr. Montgomery to the proprietors on 28 November 2019<sup>6</sup> that: ``` "Hopefully after examining both emails, you will be more able to understand the situation and provide a more informed request to the survey that Appleby sent to you. If you have already responded, we are sure you could contact them and revise your response if you deem it necessary." ``` That is a fair assertion to make, and I am satisfied that the owners were, with all the information made available to them by , all the survey id manner. bot to complete the ling informavailable <sup>5</sup> See paragraph 23 above. <sup>6</sup> See paragraph 22 above. 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 16 of 51

¶ [27] The Originating Summons dated 27 November 2019 was issued on 28 November 2019 and in it the Plaintiff seeks wide access on reasonable notice in writing. It seeks the inspection of any book or account or documents "whatsoever" held by or on behalf of the Committee. The Summons was served on the Defendant on 2 December 2019.

¶ [28] On 20 December 2019, Mr. Montgomery sent an email to Mr. Becherer following what appeared to be a constructive meeting between the parties on 18 December 2019, resulting in a "suspension" of the legal proceedings. In that email he made it clear that he had no intention of sharing the data with Luxury Cayman Villas and that, as already stated in his email of 4 November 2019, the extracted data would: "be held in confidence for the benefit of all Beachcomber owners."

¶ [29] In the email, Mr. Montgomery mentioned the sensible approach and agreement to create a sub-committee of the Committee (the Rates and Occupancy Committee) with a Mr. Gandler ("an independent third party proprietor") reviewing the rental pool data held by the Committee on the terms of the agreement set out in a non-disclosure agreement. It was felt that this approach would enable the Committee to comply with the requirements of the DPA. The proposal would have enabled information to be obtained in a way that did not reveal the specific unit number or owner's names. The report would be made available to members of the sub-committee, and Mr. Montgomery would be a member of that sub-committee. The sub-committee could then make recommendations to benefit the DPA the C afted a Nre Acerns. Tobli proprietole and to ad The text continues with a note: 7 Paragraph 31 of the Affidavit of Elizabeth Boland sworn on 27 November 2020. 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 17 of 51 ```
``` The NDA contained only four conditions/requirements.

¶ [30] Unfortunately, the parties let the matter drift and a report was not prepared, apparently as a consequence of the COVID pandemic and due to a personal tragedy affecting Mr. Gandler. It is disappointing that the parties failed to even try to find an alternative person to carry out the task when it became evident that Mr. Gandler was unable to fulfill that role. If the sub-committee approach had progressed, the considerable legal costs now expended on this matter would likely have been saved.

¶ [31] On 7 November 2020, the Corporation held its Annual General Meeting. Mr. Montgomery was afforded the opportunity to address the meeting in relation to the Plaintiff’s access to the information sought. However, the Defendant says that Mr. Montgomery refused to inform the meeting about what he intended to do with the data he obtained. Mr. Montgomery said that he felt “bullied and harassed” at the meeting because the Committee introduced three attorneys at the meeting and that he felt “uncomfortable” when he was being expected to explain, in the absence of his attorney, what the legal basis was for his requests and what the reasons were behind the request. 8 The copy of the NDA at Tab 9 of the Core Bundle is only signed by Mr. Gandler and does not contain the signature of Mr. Becherer, the then Chairman of the Committee. ``` **211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment** Page 18 of 51

¶ [32] On 9 December 2020, the Defendant's attorneys wrote to the Plaintiff, suggesting two possible ways forward. The first was to provide aggregated information that would not amount to personal data and the second was that the Plaintiff provide: “full details of his request and his intended purpose for assessing the requested data so that our client can assess (i) whether there is a legal basis to process the data for that purpose in accordance with the DPL and (ii) what additional protections need to be put in place to comply with the remaining data protection principles”. The attorneys reiterated the need to receive the information requested in their letter of 18 and 21 November 2019 as they felt that this information had not been forthcoming from the Plaintiff.

¶ [33] At an Extraordinary General Meeting (“EGM”) held on 16 January 2021, there were further discussions about the Plaintiff's demands for the data. All of the proprietors in attendance favourably discussed the possibility of proprietors wishing to obtain access to the specified categories of documents or information entering into a NDA as a means of resolving the dispute. No mention seems to have been made about a Data Processing Agreement at the EGM. The Defendant's attorney indicated in a letter of 8 March 2021 that a mechanism for resolving the dispute had been identified at the EGM. The impression given from the EGM transcript is that the Plaintiff's position at the EGM was to reiterate that any NDA did not change the binding effect of the By-Laws, but that he would draft an NDA with the Committee. The case for an Agreement was not set down for hearing on 18 January 2021. ```
```html <table> <tr> <td>34.</td> <td>On 24 February 2021, the Plaintiffs attorneys wrote a detailed open letter to the</td> </tr> <tr> <td>Defendants attorneys setting out and arguing the legal basis of its claim and countering</td> </tr> <tr> <td>the position taken by the Defendant. In the letter, the Plaintiff again stated the reason for</td> </tr> <tr> <td>the request, when writing:</td> </tr> <tr> <td>“The provision of this data to client would be in furtherance of the purpose for</td> </tr> <tr> <td>which the data was obtained by the Ex-Co i.e. to ensure the efficient running of</td> </tr> <tr> <td>the Beachcomber and the rental pool to be mutual benefit of all proprietors</td> </tr> <tr> <td>(second data principle).”</td> </tr> <tr> <td>I note that in that letter the Plaintiff stated that the requested data was unlikely to amount</td> </tr> <tr> <td>to “personal data” as defined in the DPA, but importantly he conceded:</td> </tr> <tr> <td>“... given the breadth of the right of access to information provided under the By-</td> </tr> <tr> <td>Laws we agree that the provisions of the DPA are likely to be engaged in the</td> </tr> <tr> <td>wider context of requests by proprietors to access information held by the Ex-</td> </tr> <tr> <td>Co.”</td> </tr> <tr> <td>The Plaintiff then explained the legal basis upon which the Committee would be</td> </tr> <tr> <td>compliant with DPA if it fulfilled its request for access to the mentioned data.</td> </tr> <tr> <td>35.</td> <td>On 8 March 2021, the Defendant’s attorney sent a detailed open reply to the Plaintiffs</td> </tr> <tr> <td>open letter, in which they invited the Defendant to discontinue the action on the basis that</td> </tr> <tr> <td>the Plaintiff do pay the Defendant’s costs on the standard basis and if the parties were not</td> </tr> <tr> <td>able to agree the costs, “the Court will have to decide the incidence of costs”. The</td> </tr> <tr> <td>Defendant a similar the</td> </tr> <tr> <td>carried o exercise</td> </tr> <tr> <td>Plaintiffs submissions were incorrect. Reference was made to the EGM at which the</td> </tr> <tr> <td>Defendant claimed that an acceptable proposal for all, apparently including the Plaintiff,</td> </tr> </table> ```
had been identified. With that in mind, the letter highlighted that the Committee had adopted an attached Privacy Notice and an attached form of Data Processing Agreement. The purpose of the Notice was to enable the Committee to process personal data to the Plaintiff "for processing". The Committee proposed, by reference to the Notice, to release the categories of data identified in the Plaintiff's letter 22 February 2021 on condition that the Plaintiff enter into the Data Processing Agreement. The stated purpose of that agreement being to comply with the requirements of Schedule 1, Part 2 of the DPA. The attorney wrote that the proposal: ``` allows your client access to the information that he has sought for the purposes of analysing and using with a view to the Strata Corporation to effectively manage the rental pool. The basis under the Act for the proposal in this letter is the consent of the proprietors to processing under controlled conditions that reflect the requirements of the Act, in particular, the explicit requirement of a processing agreement. This is a solution that has been created by the members of the Strata Corporation and Exco in good faith in order to facilitate access by your client to material that he was not entitled to at the time of his original demands. ``` The Defendant then reiterated its view that: ``` Your client is not entitled to the relief that it seeks in the Originating Summons at the outset and is not entitled to the more limited date set subsequently requested except under the auspices of the consent and processing agreement proposed...

¶ [36] It became apparent that the hearing on 16 March 2021 would require more than the half-day that had been allotted. The Listing Office agreed to extend the date to 11 May 2021, with a full day allocated and, on 21 March 2021, the hearing was held. 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 21 of 51

¶ [37] In a letter dated 6 April 2021, the Plaintiff's attorneys addressed the content of the Defendant's letter dated 8 March 2021. The Plaintiff disagreed that the discussions at the EGM in January 2021 resulted in approval by all proprietors of a course suggested now by the Committee, namely in adopting a data protection policy ("the Privacy Notice"). The Plaintiff stated that there had been no discussion of a Data Processing Agreement at the EGM and there was no agreement as to a final resolution of the matters in dispute. He indicated that the discussion had at the EGM was about trying to reach a suitably worded NDA, a course which he said a number of owners were supportive of. This seems consistent with the content of the transcript of the EGM. The Plaintiff stated that it did not agree with the solution being put forward by the Defendant that it should become a data processor on behalf of the Committee and refused to sign a data processing agreement which it felt "was artificially setting up a fiction" that it is "processing data and behalf of Ex-Committee". However, he said he would agree to sign a NDA containing the following terms: i) Any data accessed by the Plaintiff will be used only for the purpose of reviewing the performance of the rental pool at The Beachcomber and making proposals to the Committee/other owners for ways in which the rental pool could be improved. ii) Any data access by the Plaintiff will be kept truly confidential and not shared with any third parties other than: a. Owners at The Beachcomber; b. The professional advisers, real estate agents, accountants, and the disclosed data signatories. The Plaintiff's attorneys, real estate agents, and the disclosed data signatories will be kept informed of any data shared with the Plaintiff.
```markdown ## 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 23 of 51 strictly confidential and not shared with any third party other than as required by law; c. as required by law.

¶ [38] This Plaintiff proposed that the NDA would be entered into pursuant to a settlement agreement which would provide that: (i) the Defendant will provide access to the requested data upon the execution of the NDA; (ii) that the Plaintiff will discontinue proceedings on the basis that the Defendant will pay the Plaintiff's costs on the standard basis; and (iii) that the agreement is entered into strictly without any waiver of the Plaintiff's right to challenge the lawfulness of the Privacy Notice, and without any waiver of his right in relation to future requests to access data to challenge the necessity for an NDA in relation to that access or alternatively the form of the NDA under.

¶ [39] The Plaintiff reiterated in the letter that the data to which access was sought was the raw documentation held by the Committee/Corporation showing the following historic data for each unit by unit number for the period of the 2017/2018, 2018/2019, 2019/2020 financial years and the current year-to-date: (i) The gross rental revenue for each rental of that unit (raw data for each individual remarry); (ii) the check-out date of that unit; (iii) the check-in date and check-out date for each rental of that unit. ```
(iv) the dates that the unit was blocked out as unavailable for rental and the reasons why (e.g. the occupation, renovations etc).

¶ [40] Mr. Montgomery feels that the access that the parties had earlier agreed would be given to Mr. Gandler, who is also a proprietor, was less limited than that being suggested should be given to him in March 2021. He highlighted that the Committee was not offering him the option of signing an NDA in the same terms as the one signed by Mr. Gandler in January 2020. He commented: "I do not understand why the ExCo has decided to discriminate against me by providing the very access that I have requested to one proprietor whilst firmly maintaining their refusal to provide access to the Plaintiff. Mr. Gandler has exactly the same status and rights as any other proprietor (including the Plaintiff). There is therefore simply no basis upon which the ExCo can suggest that it is acceptable for them to provide the data to Mr Gander, but refuse to provide the same to me."

¶ [41] The Defendant replied on 9 April 2021 and set out reasons why the settlement suggested by the Plaintiff was not acceptable. The Defendant reiterated its offer made on 8 March 2021, but added that it now be on the basis that each party bear its own costs. The Defendant added that, if the matter went for hearing, the Court would be invited to dismiss the claims for a declaration and for an injunction on the basis that they serve no purpose as the Defendant has offered the Plaintiff everything that he is entitled to receive consistent with the roof of the DPA.

¶ [42] In the same letter, the Defendant restated its belief that the Plaintiff had failed or refused to outline the purpose for which the data was to be processed. However, it is clear from
```markdown paragraph 16 of Mr. Montgomery's affidavit sworn on 11 December 2020 and his attorney's letter to the Defendant on 24 February 2021 that he had set out that the primary purpose for being able to review the material was to improve the income for all the parties from the rental pool. I also remind myself that on 8 March 2021<sup>9</sup> the Defendant acknowledges that the information is being sought by the Plaintiff: ``` for the purposes of analysing and using with a view to the Strata Corporation to effectively manage the rental pool” ``` and then went on to make suggestions about how material could be shared to enable the Plaintiff to conduct such an exercise. Despite the assertions of Elizabeth Boland<sup>10</sup> at paragraph 15 of her affidavit sworn on 27 November 2020, I reiterate that I am satisfied that the Plaintiff has outlined to the Defendant why the material was being sought and it has put that request into context since at least November 2019 when Mr. Montgomery expressed in correspondence what his concerns were with the running of the rental pool and the rents being charged and what data it wishes to extract for each unit from the material.

¶ [43] Unfortunately, due to ill-health of one of the attorneys in this matter, the hearing due to come on before Ramsay-Hale J on 11 May 2021 was vacated and relisted for 13 July 2021. It is withstood that themes on behalf of the parties have been discussed in this case. It is a great pity about those that have grave concern in this matter.

¶ [44] In this background matter there have been issues about the level of concern that have been raised in this case. It is a great pity about those that have grave concern in this matter. <sup>9</sup> See paragraph 35 above herein. <sup>10</sup> Chairwoman of the Committee since November 2020. 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 25 of 51 ```
```html <table> <tr> <td>negotiations around December 2019 and then in March and April 2021 did not arrive at</td> </tr> <tr> <td>what appeared to be a reachable sensible resolution. Despite the advanced stage of</td> </tr> <tr> <td>discussions to identify a solution as outlined in the background section of this judgment,</td> </tr> <tr> <td>the parties were unable to conclusively agree to a sensible mechanism which could have</td> </tr> <tr> <td>satisfied the Plaintiffs request made with reference to the By-Laws and at the same time</td> </tr> <tr> <td>not expose the Strata and Committee to potential liability for non-compliance with the</td> </tr> <tr> <td>DPA.</td> </tr> </table>

¶ [45] The above detailed background vividly illustrates why, in cases of this nature, parties should seek to explore mediation as an alternative and cost effective means of determining the dispute between them. <h3>Submissions made and the Law</h3>

¶ [46] The submissions now relied upon by each party are on the whole similar to those included by them in the inter partes correspondence which has been shown to the Court and which I have already reviewed in some detail above. Counsel, brought together and fine-tuned those contentions in their skeleton arguments and oral submissions. <h3>The By-Laws</h3>

¶ [47] The Plaintiff argues that the issue for determination is whether the Defendant has breached/s: <i>the By-Law/or failing</i> <i>uest for access and reCo</i> <i>the Plai</i> <i>oy n/failing cor</i> <i>e to grantif</i> <i>requst to the book isonable nt</i> <i>poration</i> <i>refusing and within a timds of the c</i> <i>f's)</i> <i>refusing anwithin a</i> <i>(the Plai</i> ```
The starting point for such an argument is the relevant provisions of the By-Laws which are: **31. The Executive Committee shall:** a) keep minutes of its meetings by its elected Secretary who shall be Custodian of the Minute Book of the Corporation; b) through its Treasurer cause proper books of account to be kept in respect of all monies received and spent by the Corporation for the Corporation or the Proprietors of each Strata Lot, including occupancy statistics for each Strata Lot and prepare proper accounts relating to all monies, assets and liabilities of the Corporation and the income and expenditure and financial statements for each Annual General Meeting; c) on the application of a Proprietor or a Chargee or any person authorised in writing by either of them make the books of account or corporate minute book available for inspection at all reasonable times during normal business hours; [My emphasis] 48. a) ... b) a Proprietor may upon reasonable notice in writing being given to the Treasurer or Secretary inspect or have inspected any book or account or documents are in whatsoever held by or on behalf of the Executive Committee; [My emphasis] c) ... It is By-Law 48(b) which the Plaintiff claims the Defendant has breached, because, the access it has requested and which it feels it has a right to be given, has been denied. The Plaintiff submits that the onus is on the Defendant to establish a legal basis that enables it to refuse to comply with the requirements under this By-Law. ## The DPA

¶ [48] The Defendant submits that the legal basis for not fulfilling the Plaintiff's request arises due to the privacy gained in the led that situation men in the application of the DPA. It is contrary to the rules contained in the Cayman Islands DPA. The applicable law is the DPA. The law is clear. 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 27 of 51
```html <table> <tr> <td>her Introduction in the publication “Data Protection Law 2017 Guide for Data</td> </tr> <tr> <td>Controllers”11 succinctly describes the purpose of the DPA as follows:</td> </tr> <tr> <td>“The Data Protection Law, 2017 (the “DPL”) is a powerful piece of legislation. It</td> </tr> <tr> <td>introduces globally recognized principles about the use of personal data to the</td> </tr> <tr> <td>Cayman Islands. The DPL aligns the Cayman Islands with other major</td> </tr> <tr> <td>jurisdictions around the world, notably the European Union, and thereby</td> </tr> <tr> <td>facilitates the free flow of data - a pre-requisite for the Cayman Islands being an</td> </tr> <tr> <td>equal and competitive participant in today’s globalized economy.</td> </tr> <tr> <td>Moreover, the DPL provides a standard framework for both public and private</td> </tr> <tr> <td>entities in the management of the personal data they use. Internationally active</td> </tr> <tr> <td>organizations will find many similarities between the data protection law of the</td> </tr> <tr> <td>Cayman Islands and of other jurisdictions where they are active. The DPL aims</td> </tr> <tr> <td>to reduce the administrative burden of operating internationally and cement the</td> </tr> <tr> <td>Cayman Islands as an attractive jurisdiction in line with international</td> </tr> <tr> <td>developments.”</td> </tr> </table>

¶ [49] With this in mind, the Office of the Ombudsman understandably states that her approach to data protection is a practical one, recognising and respecting the fundamental right to privacy whilst at the same time understanding fair and lawful processing of personal data is essential to the modern service economy.

¶ [50] The DPA is legislation about the privacy of all individuals and it describes how any personal data is to be processed by “data controllers”. These are persons, who alone or jointly with others determine the purposes, conditions and manner in which any personal ```
```markdown data are, or are to be, processed. In this matter the Committee is a data controller.12 Section 2 of the DPA defines “personal data” as follows: “Personal data” means data relating to a living individual who can be identified and includes data such as a) the living individual’s location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual; b) an expression of opinion about the living individual; or c) any indication of the intentions of the data controller or any other person in respect of the living individual.” Examples of some of the types of personal information that strata corporations manage include: (i) name, address and phone number; (ii) banking or credit card information; (iii) emergency contact information; (iv) owner/tenant’s insurance particulars; (v) names of family members living with the borrower or occupying the strata lot; and (vi) debts owed to the strata Corporation by an owner.

¶ [51] The Defendant rightly contends that the information sought by the Plaintiff is or includes personal data as relates to revenue and occupancy data of units other than his own in a form that could be used to identify the specific individual units and individuals. Elizabeth Boland at paragraph 12 in her affidavit sworn on 27 November 2020 stated: "If the ExCo calls from the unit number, it is not possible to determine the identity of the owner or the tenant, unless mechanisms are put in place to protect the data." 12 Section 2 DPA - Interpretation section. 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 29 of 51 ```
```html <table> <tr> <td>provided by ExCo, the data would include rental sums charged by individual units, annual rental yields for individual units, rental voids of the individual units (this information, if there was a pattern of voids, would potentially be a security risk to an owner if a unit is known to be unoccupied) and the names, addresses and contact details from renters of those individual units. In addition, the ExCo had a concern that the Plaintiff intended to share the requested data with a third party.... The ExCo considered that sharing data with third parties might give rise to particular legal issues."</td> </tr> </table>

¶ [52] On the other hand, the Plaintiff submits that the data which it has requested is "unlikely" to amount to personal data as defined in the DPA, because since 22 November 201913 it earlier had made clear what data it wishes to extract for each unit over a two year period and that it does not seek the disclosure of names of the owners of each unit, the names of parties renting each unit or the contact details of any of those parties. The Plaintiff also claims that if the information does include personal data, that such information could be provided, subject to suitable redaction. The Plaintiff fails to recognise that even if the disclosure does not specifically provide that detail, it will easily be ascertained from the wider information. If the Committee were to provide the information sought by the Plaintiff, it would be processing some personal data.

¶ [53] When applying s.5(4) of the DPA, unless a statutory exemption provided for in Part 4 DPA applies, the Committee, in its capacity as the data controller, when processing personalomply with the data protection principles which are set out in Part 1 of Schedule 1 to the DPA must ensure that the data processed is necessary for the purposes which are set out in Part 1 to the DPA. 13 Letter 22 November 2019 sent by Plaintiff's attorney to the Defendant's attorney, in which also states Plaintiff was prepared to instruct an accountant to extract the relevant data from the V12 system if there is an objection to direct personal access to the system.

¶ [54] The Plaintiff contends that if the DPA is engaged then some of the exemptions found in s.25 DPA apply and in addition there are: “clear routes under the DPA that allow the Defendant to comply with the By-Laws”. The Defendant submits that there is no applicable exemption and therefore the Committee is to have regard to the DPA and comply with the data protection principles when dealing with the Plaintiff’s request. The Defendant contends that the effect of this requirement means that the Committee is not able to simply grant the “unfettered access” demanded by the Plaintiff. Ms. Boland makes clear in her evidence that, if the request was to be actioned, the personal data would have to be processed in a data protection principles compliant manner.

¶ [55] The relevant parts of s.25 of the DPA provide: (1) Personal data are exempt from the non-disclosure provisions if the disclosure is required by or under any enactment, by any law or by the order of a court. (2) Personal data are exempt from the non-disclosure provisions if their disclosure is necessary – (a) for the purpose of, in connection with, or in contemplation of, any quasi-judicial or legal proceedings; (b) for the purpose of obtaining legal advice; or (c) otherwise for the purposes of establishing, exercising or defending a legal right.” The Plaintiff, pursuing the DPA, claims that, pursuant to s.25(1) of the DPA, the personal data is exempt from the provisions of the STRA due to a statutory contract created under the STRA incorporating the terms of the By-Laws. The second
```markdown exemption claimed is pursuant to s.25(2) of the DPA, because it is contended that disclosure is for the purpose of exercising a legal right.

¶ [57] In relation to the by-law exemption claimed one needs to look at how by-laws operate and the obligation imposed by s.21(7) of the STRA. The By-Laws operate as an agreement between the Strata and proprietors and are binding on them. There are some legal differences between this kind of contract and a standard contract, including how they are enforced and what remedies are available.

¶ [58] Section 25(1) of the DPA makes no mention of obligations that arise under a contract. That is likely why the Plaintiff comes from a different angle arguing that it is a statutory contract created under the STRA and because By-Law 48(b) provides that an opportunity to inspect must be given if requested in the correct manner by a proprietor then that is a requirement under an enactment.

¶ [59] Section 21(7) of the STRA provides that: ``` Bye-laws for the time being in force shall bind every corporation and the proprietors to the same extent as if such bye-laws had respectively been signed and sealed by such corporation and each proprietor and contained covenants on the part of such corporation with each proprietor and on the part of each proprietor with every other proprietor and with such corporation to observe and perform all the bye-laws. ``` In some cases there is a question, even if the legislation commonly contains a similar provision to By-Law 48, requiring a strata corporation to retain certain records and to make those records available for inspection by others with ```
```html <table> <tr> <td>standing (for example, proprietors).14 In such circumstances, especially if there is no</td> </tr> <tr> <td>overriding provision in the data protection legislation indicating that the privacy law</td> </tr> <tr> <td>would prevail unless the other enactment expressly provided that the other enactment</td> </tr> <tr> <td>would apply despite the privacy law, one can see why Courts might find that the privacy</td> </tr> <tr> <td>law did not supersede the law which required access to be be given to the records by the</td> </tr> <tr> <td>proprietors. The STRA does not contain any similar provision requiring fulfillment of a</td> </tr> <tr> <td>request for inspection and disclosure if one is made and the requirement that exists is a</td> </tr> <tr> <td>contractual one under the By-Laws and not under an enactment, law or court order. I find</td> </tr> <tr> <td>that the s.25(1) of the STRA exemption does not apply in this matter.</td> </tr> </table>

¶ [61] In relation to the exemption claimed pursuant to s.25(2), namely that the disclosure is for the purpose of exercising a legal right, I am unable to deduce for which relevant right the Plaintiff argues the disclosure is necessary to establish, exercise or defend it.

¶ [62] By-Law 34 requires the Committee to employ a manager and part of that person's duties is to enforce compliance with the By-Laws. This By-Law also provides that all enquiries relating to the accounts and budgets of The Beachcomber made by a proprietor (which do not solely relate to his strata lot he does not own) shall be directed through the Committee. However, the By-Laws do not entitle the Committee to apply and seek to enforce the By-Laws in manner that is inconsistent with the DPA and they do not permit a proprietor to have access to books and accounts in a manner inconsistent with the DPA. <sup>14</sup>For example the Strata Property Act (1998) in British Columbia Canada or the Strata Schemes Management Act (1996) in New South Wales, Australia which also includes a section similar to s.21(7) STRA 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 33 of 51 ```
The Data Protection Principles

¶ [63] In light of the above and having found that the claimed exemptions do not apply, I must now turn to the data protection principles. These are strict rules which a data controller must comply with and they relate to the personal data and the data control processes.15 The Corporation is the data controller as it alone or jointly with others determines the purposes conditions and manner in which any personal data are, or are to be, processed.16 This means that the Committee shall interpret and comply with the data protection principles.

¶ [64] The Defendant rightly submits that the provision of documents pursuant to the Plaintiff's request and the manner in which it seeks to use the material amounts to the processing of data. The Committee would need to locate the data and then disclose it to the Plaintiff. The Defendant has to comply with all of the data protection principles that relate to the personal data it is processing. It is understandable that the Defendant would have concerns if there was any third party involvement sought by the Plaintiff, especially by a realtor17, and seek details about (i) the identity of the third party, (ii) the purposes for which a third party would access the data and (iii) details about the measures which would be put in place with the third party to protect the data.

¶ [65] There are eight data protection principles and they are set out in Part 1 of Schedule 1 to the DPAR, the data controller must:

¶ [1] Process personal data fairly, lawfully and transparently;

¶ [2] Collect personal data for specified, explicit and legitimate purposes and not further process them in a manner incompatible with those purposes;

¶ [3] Keep personal data accurate and up to date;

¶ [4] Keep personal data for no longer than is necessary for the purposes for which they are processed;

¶ [5] Ensure that personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures;

¶ [6] Allow data subjects to request access to their personal data and to request that the data controller correct, block or erase personal data in certain circumstances;

¶ [7] Provide a means for data subjects to request that the data controller restrict or object to the processing of their personal data;

¶ [8] Provide a means for data subjects to receive their personal data from the data controller and to transmit that data to another data controller, in a structured, commonly used and machine-readable format. 15 Section 5(4) of the DPA. 16 Section 2 0 of the DPA - Interpretation section. 17 As mentioned in the Plaintiff's attorneys' letter of 6 April 2021. 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 34 of 51
(ii) used for specified, explicit purposes; (iii) used in a way that is adequate, relevant and limited to only what is necessary; (iv) accurate and, where necessary, kept up to date; (v) kept for no longer than is necessary; and (vi) handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage. These data protection principles fall to be interpreted in accordance with Part 2 of Schedule 1 of the DPA.

¶ [66] In the matter before me, the data protection principles which the Court is invited to specifically concentrate on are the first, second, sixth and seventh principles. I will set out the relevant parts of Schedule 1 Part 1 before going on to deal with each one separately: **First principle**

¶ [1] Personal data shall be processed fairly. In addition, personal data may be processed only if— (a) in every case, at least one of the conditions set out in paragraphs 1 to 6 of Schedule 2 is met; and (b) ... **Second principle**

¶ [2] Personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. **Sixth principle**

¶ [6] Personal data shall be processed in accordance with the rights of data subjects under this Act. **Seventh principle**

¶ [7] Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. ---

¶ [67] The first data protection principle has two separate requirements. The first is that the data must be processed fairly and then it may only be processed if at least one of the above conditions set out in Schedule 2 to the DPA is made out. Both of these requirements must be met. ---

¶ [68] In relation to the first requirement, Part 2 of Schedule 1 of the DPA sets out how to determine whether personal data is processed fairly. The relevant section of Part 2 of Schedule 1 provides that: **“First principle: source**

¶ [1] (1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to — (a) the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed; and (b) whether the information contained in the personal data has previously been made public as a result of steps deliberately taken by the data subject. (2) Subject h 2, for the purposes of the first principle, they are considered to be obtained as if they were obtained by the person from whom they are obtained as a result of steps deliberately taken by the person under an enactment or by a convention or other instrument imposing an international obligation on the Islands. --- **211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment** Page 36 of 51
```markdown # First Principle: Specified Information at Relevant Time

¶ [2] For the purposes of the first principle personal data shall not be treated as processed fairly unless the data subject has, as soon as reasonably practicable, been provided with, at a minimum— (a) the identity of the data controller; and (b) the purpose for which the data are to be processed." ## First Principle – Processed Fairly

¶ [69] The processing of personal data must always be conducted in a way that is fair and not in breach of any other laws. If any aspect of the processing is unfair, the data controller will be in breach of this principle – even if it can show that it had a lawful basis for the processing. In general, fairness means that one should only handle personal data in ways that persons would reasonably expect and not use it in ways that have unjustified adverse effects on them. The data controller needs to consider how it can use personal data and also whether it should. Assessing whether one is processing information fairly depends partly on how it was obtained. In particular, if anyone was deceived or misled when the personal data was obtained, then this is unlikely to be fair. One has to be clear, open and honest with people from the start about how you will use their personal data. In order to assess whether personal data is being processed fairly, one must consider more generally how it affects the interests of the people concerned - as a group and individually. Personal data may sometimes be used in a way that negatively affects an individual without this necessarily being unfair. What matters is whether or not such detriment is justified. There are no issues about the manner in which the data was obtained.

¶ [70] For the data to be deemed to be processed fairly, the data subject must be told about the identity of the data controller (the Committee) and the purpose for which the data are to be processed. ```
```html <table> <tr> <td>be processed. In the present matter, the data subjects have been made aware from the questionnaire, what was said at the AGMs/EGM and correspondence that the Committee is the data controller. Although the Defendant contends that the purpose for processing data had not been initially disclosed to them, they accept that, by reference to the Plaintiff's letter a letter dated 24 February 2021, that the purpose was to analyse the data to more effectively manage the rental pool. Although the evidence shows that the Plaintiff had explained the purpose, even on the Defendant's disclosed understanding, that purpose is now known by the Defendant and by the other proprietors. The purpose is to try to improve the running of the rental pool for owners whose units are in the pool and this would benefit all proprietors, as any improvements would likely raise the profile of The Beachcomber and have a positive effect on the value of all units. This purpose is consistent with the expectations of the proprietors who would have known that they had provided that information partly to enable the Corporation to manage and administer the rental pool efficiently. I am satisfied that the fairness requirement is met.</td> </tr> </table>

¶ [71] In relation to the second requirement in the first protection principle, the Committee, as the data controller, must identify valid grounds under the DPA for handling/processing personal data. Schedule 2 to the DPA sets out the conditions or legal bases on which personal data may be processed. The main legal bases are summarised below: (a) Consent - the individual has given clear consent (b) Co processing: performanc e necessary for performance of a contract with the data subject or a contract to which the data subject is a party or a contract with a legal obligation - the processing is necessary for the performance of the contract or for compliance with a legal obligation (this does not include contractual obligations); (c) Legal obligation - the processing is necessary for compliance with a law (this does not include contractual obligations); ```
```markdown (d) Vital interests - the processing is necessary to protect the vital interests of the data subject; (e) Public functions - the processing is necessary to perform a public function, e.g. the administration of justice; and (f) Legitimate interests - processing is necessary for legitimate interests pursued by a data controller or a third party. ## Consent Condition

¶ [72] In relation to the data subject consent condition, the *Cayman Ombudman’s Guide*<sup>18</sup>, which is a useful but not binding source of reference, contains the following helpful *“at a glance”* guidance at page 89 about what is required for consent: - The DPL sets a high standard for consent. However, consent will not always be the appropriate legal basis. - Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation. - If you rely on consent, check your business processes that involve collecting consent and your existing consents. Refresh your consents if they don’t meet the DPL standard. - Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. - Explicit consent requires a very clear and specific statement of consent. - Keep your consent requests separate and distinguishable from other terms and conditions. - Be specific so that vague or broad consent is not easily given or withdrawn. <sup>18</sup> Data Protection Law 2017 Guide for Data Controllers (January 2018). ``` This transcription accurately reflects the content of the provided image, using Markdown for headings and paragraph structure, HTML for tables (if any were present, which they are not), and LaTeX for math (which is not present).
```html <table> <tr> <td>73.</td> <td>As already highlighted, the Plaintiff contends that the proprietors have consented to the processing of the data which is of the type covered in By-Law 48(b), because when they purchased their strata lot they agreed to be bound by the By-Laws. Therefore, they submit, that even if the data was personal data, the conditions at Schedule 2 Paragraph 1 of the DPA are satisfied.</td> </tr> <tr> <td>74.</td> <td>The Defendant disagrees, highlighting that the By-Laws were drawn up prior to the DPA being enacted and therefore the provisions cannot reflect any of the requirements and restrictions set out under the DPA. With reference to the Ombudsman’s guidance, the Defendant also rightly contends that the DPA requires a positive opt in, that clear and specific statements of consent are provided and that separate consent is required for separate things. The By-Laws relied on do not cover these requirements. Although it may be argued that by agreeing to be bound by the By-Laws, one is exercising a choice and control, a clearer choice is being expressed by the more informed and data specific expressions of consent or non-consent given in the answers to the survey. I am satisfied that the data controller can process the data for the specific units of proprietors who gave their consent for the Committee to do that by their answer in the survey, but not under the First Principle relying on the consent condition for those who said that they did not. It cannot be latter gro</td> </tr> </table> ```
Processing Necessary for the Performance of a Contract Condition

¶ [75] I now move on to the second condition for processing of personal data when considering the first principle. This is the condition where the processing is necessary for the performing of a contract, specifically By-Law 48 which states that each proprietor may inspect the book or accounts or documents whatsoever held by the Committee. The Plaintiff contends that the processing is necessary for the performance of the obligations under the By-Laws which “are deemed to form a statutory contract” which the data subject proprietors are all parties to.

¶ [76] The Defendant contends that this condition does not apply as the processing is not “necessary” for the performance of that contract. It is argued that the contract in the By-Laws can be achieved by “less privacy intrusive means” which does not include the Plaintiff sharing the data with third parties who are not parties to the By-Laws. Condition 3 (the processing under legal obligation condition), makes it clear that the condition is not met by contending that the processing is required to comply with a contractual obligation.

¶ [77] Presumably, apart from the submission that the Plaintiff would be processing data on behalf of the Defendant, it appears that the Defendant also had the second and third condition in mind when it suggested on 8 March 2021 that the personal data highlighted in the Plaintiff’s letter of 22 February 2021 could be processed and provided to the Defendant. The Defendant set out a Processing Agreement in the draft Data Protection Agreement. That said, the Defendant also sought the disclosure of the original documents to enable the Defendant to perform the contract whilst at the same time complying with the Plaintiff’s obligation to process the data. 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 41 of 51
```html <table> <tr> <td>data appropriately. I am satisfied that condition 2, processing is necessary for a contract is</td> </tr> <tr> <td>met in the above circumstances.</td> </tr> </table> <h3>Processing under a Legal Obligation Condition</h3> <p>78. The Plaintiff contends that an alternative to the contract condition 2, the obligation is</p> <p>imposed by statute under the STRA and it therefore can be regarded a legal obligation</p> <p>other than pursuant to contract. However, I am not satisfied that this is correct, as the</p> <p>contract in the Articles in the By-Laws still falls under the word contract in condition 3.</p> <p>Condition 3 only applies if the data is needed to comply with a common law statutory</p> <p>obligation and that it does not apply to contractual obligations.</p> <h3>Processing for Legitimate Interests Condition</h3> <p>79. This condition states:</p> <blockquote> <p>"The processing is necessary for the purposes of legitimate interests pursued by</p> <p>the data controller or by the third party or parties to whom the data is disclosed,</p> <p>except is the processing is unwarranted in any particular case by reason of</p> <p>prejudice to the rights and freedoms or legitimate interests of the data subject."</p> </blockquote> <p>80. The Plaintiff in the letter from its attorney dated 24 February 2021 contended that there</p> <p>was a legitimate interest, stating:</p> <blockquote> <p>"The disclosure of the data is clearly necessary for the purposes of the legitimate</p> <p>interests of our client in relation to its substantial investment in a strata lot of the</p> <p>Beas a member. Compan</p> <p>hchomber, the ?alll'U8P8fnd and manf</p> <p>chomber. Ar of the &amp; direct and</p> <p>Beansluding the runningaggentalP8at the</p> <p>significant final st in Rhat of theLven that all</p> <p>proprietors share this legitimate interest and are similarly entitled to access the</p> </blockquote> ```
```html <table> <tr> <td>Strata Corporation's books and records, there cannot be said to be any prejudice</td> </tr> <tr> <td>to those other proprietors."</td> </tr> </table>

¶ [81] The processing of data can sometimes be justified due to the legitimate interest of the data controller or a third party. The use of legitimate interest as a basis for processing requires careful consideration of the data subject proprietor's rights and interests. For an interest to be considered legitimate it requires the interest (i) to be a legal one and (ii) to be stated with sufficient clarity so that the data subject's rights and interests can be assessed. However, since the enactment of the DPA this does not mean that, in the absence of consent, the access given to a requesting individual is unfettered access to someone else's personal information. The Committee may disclose personal information to someone else if it fulfills the same purposes that it relied upon when collecting it and those purposes would be considered appropriate by a reasonable person. The Committee must also ensure that it discloses only the appropriate amount of personal information necessary to carry out those purposes in a manner consistent with the principle in Schedule 1 to the DPA.

¶ [82] Whether an interest can be considered legitimate can be determined by carrying out a balancing exercise. The data controller must perform this exercise to carefully evaluate, whether or not it may use legitimate interests as a basis for the processing of personal data. The data controller must also consider whether the requested processing of the personalessary for perests, in other words w result ced through asive of of the data is necursuing the s hether the s should be achieve means tiny intame subjects.

¶ [83] As a part of the evaluation, the data controller should consider: (i) what the nature is of it and any third parties interests; (ii) what benefit the processing of personal data would provide; and (iii) what detriment would ensue from not processing the personal data. Although the Plaintiff's property was not one placed in the rental pool, he has an interest in the strata generally being properly managed. If the rental pool is being managed properly, this is a positive factor for all properties whether or not their property is in the rental pool, as it will raise the reputation of The Beachcomber and also likely the value of each of the units. Although it may be argued that the Plaintiff is not directly responsible for managing the rental pool or the strata, it is clear that the purpose of By-Law 48 is to give each strata owner the right to request access to their own personal information being held by the Defendant as well as access to more general information held there to be some monitoring of how the Plaintiff is performing its duties. The detriment of not processing this type of request is that it lessens the transparency in the managing of the Corporation and may detrimentally effect an individual proprietor's ability to oversee/review the running of and management of the Corporation.

¶ [84] As a part of the balancing exercise, the data controller must also consider the effects on the data subject. This includes factors such as: (i) the nature of the personal data involved; (ii) the nature of the personal data involved; (iii) the nature of the personal data involved. The data requested could enable the Plaintiff and third parties to directly or by indirect deduction obtain personal information, including financial, of other proprietors. This is 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 44 of 51
```html <table> <tr> <td>relevant as the majority of the proprietors who replied to the survey, having been</td> </tr> <tr> <td>informed about the DPA in the survey letter and having been sent Mr Montgomery’s</td> </tr> <tr> <td>email in which he expressed his view that the By-Laws bound the proprietors to the</td> </tr> <tr> <td>extent that the DPA did not apply to the Plaintiff’s request, have not consented to their</td> </tr> <tr> <td>personal data being shared with other proprietors.</td> </tr> </table>

¶ [85] When considering the data subject proprietors, if there are further reasonable measures that can be taken concerning the maintenance and security of the data, then that may influence the final determination of the balancing exercise. This is of particular importance in the current matter as the Plaintiff wishes to be able to provide the data to third parties. This is where: (i) the discussions held during the January 2021 EGM about an NDA; (ii) the adoption of the Committee of the Privacy Notice and Data Processing Agreement with the Plaintiff proposal made by the Defendant in its attorneys’ letter of 8 March 2021; and (iii) the NDA proposal made by the Plaintiff in its attorneys’ letter of 6 April 2021 come to the fore.

¶ [86] The proposed Privacy Notice would enable the Committee to process personal data and release the same for the purpose stated to the Plaintiff. These proceedings aside, the creation notice (or similar and its provision to all proprietors of such a document) would arguably override the circulation of a privacy policy by the Corporation, when it was known that the DPA was going to be enacted. However, although the Notice provides that the Committee may ask others to ```
```html <table> <tr> <td>process personal data for it, this is not a matter in which the Plaintiff agrees that the</td> </tr> <tr> <td>Committee should regard it as processing data on behalf of the Committee, as it is in fact</td> </tr> <tr> <td>asking for access in its own capacity.</td> </tr> </table>

¶ [87] Although not finding that the draft Data Processing Agreement is required, I accept that it sets out what the purpose of the data processing is and I am satisfied that it would put in place an effective mechanism for decreasing any possible adverse effect on the other proprietors and improves the protection of their privacy. However, the reason why the Data Processing Agreement rather than the NDA discussed at the EGM is felt to be necessary is actually because the Defendant contends that the Plaintiff would be a data processor, namely a person processing personal data on behalf of the Committee. I do not accept that the processing of data would be on behalf of the Committee, although the outcome of the analysis of the data by the Plaintiff may later assist the Committee concerning the efficient running of the rental pool. A granting of the request for access is not in reality the Defendant processing or having the Plaintiff process the data to perform its rental pool management obligations, it is the Plaintiff seeking to exercise, if it had not been for the DPA, a right to have reasonable access to enable it to review the management of the Committee of the rental pool, in an informed manner.

¶ [88] The Plaintiff contends that this Agreement is not required and that, as discussed at the EGM an for Mr. Ganpriately wol for Mr. Gondall 19 an appropriate loe in led NDA would have 2021 the an app anseint the an NDAPlated 6 Ap Pl a as an anemier an aapoue ensure w the letteril be willin pr that priate mecht in alonely s et out the wording of an NDA when the Pl which the uld 2021 the e sign. 19 See paragraph 29 above. ```
The proposed NDA sets out the purpose of the access to the data and a provision that will be kept strictly confidential and not shared with any third person save for other owners and the Plaintiff's lawyers, accountant, and real estate professionals. If it is shared with these professionals, then they would have to in turn sign an NDA confirming that the data will remain strictly confidential and not shared with any third party other than as required by law. If the intention is to have access to the raw data at The Beachcomber’s offices, then this NDA would put in place a reasonable mechanism to protect the privacy of the owners.

¶ [89] Having conducted the balancing exercise, I am satisfied that condition 6, processing for legitimate interests is met in the above circumstances.

¶ [90] I will now turn to the other principles which I have been referred to by the parties and which must be complied with. In relation to the second data protection principle, the purpose limitation principle: This principle stipulates that personal data, which is collected for a specific, previously stated and understood purpose, must not then be used for other applications. The principle limits the extent to which organisations can ‘multi-purpose’ personal data. The personal data can only be used for a new purpose if it is compatible with the original purpose, consent of the data subject is obtained or there is a clear basis in law for using it. The Defendant contends that the Plaintiff’s “Refusal to disclose the purpose for which he wished to process the data” made it impossible for the Committee to propose the second principle. Again, I am of the opinion that the Committee was provided with the purpose by the Plaintiff on 22 November 2019 when that is put in context with what was said at the Annual General Meeting. The data was obtained by the Committee to enable it to control, manage and
```markdown ## 91. The sixth data protection principle is the rights principle. The DPA provides specific rights to data subjects, including the right to certain information from a Data Controller and the right to access Personal Data held by a Data Controller. The purpose of this principle is to ensure that the processing of data is consistent with the rights of data subjects under the DPA. The Defendant contends that the right of a data subject to cease or restrict processing pursuant to s.10 of the DPA should be considered in the circumstances of the Plaintiff's request. A data subject has the right to withdraw that consent<sup>21</sup> at any time. It is contended that, even if it could be argued that the proprietors have by expressly agreeing to be bound by the By-Laws, which includes the By-Law 48(b) inspection provision, already consented to the inspection by another proprietor of documents whatsoever held by the Committee, that any such consent no longer exists. This is contended due to the result of the survey of owners which resulted in twenty seven owners communicating their objection to their personal data being shared with another proprietor. At this stage, I find that the access to the raw data if it occurs at The Beachcomber’s Offices, with appropriate restrictions and protections as set out in the NDA pre-plaintiff, would be consistent with the rights of the data subjects under the DPA (sixth principle). <sup>20</sup> By-Law 44. <sup>21</sup> Schedule 5 Condition of Consent Paragraph 3. ``` ```html <table> <tr> <td>91.</td> <td>The sixth data protection principle is the rights principle.</td> </tr> <tr> <td>The DPA provides specific rights to data subjects, including the right to certain information from a Data Controller and the right to access Personal Data held by a Data Controller. The purpose of this principle is to ensure that the processing of data is consistent with the rights of data subjects under the DPA. The Defendant contends that the right of a data subject to cease or restrict processing pursuant to s.10 of the DPA should be considered in the circumstances of the Plaintiff's request. A data subject has the right to withdraw that consent<sup>21</sup> at any time. It is contended that, even if it could be argued that the proprietors have by expressly agreeing to be bound by the By-Laws, which includes the By-Law 48(b) inspection provision, already consented to the inspection by another proprietor of documents whatsoever held by the Committee, that any such consent no longer exists. This is contended due to the result of the survey of owners which resulted in twenty seven owners communicating their objection to their personal data being shared with another proprietor. At this stage, I find that the access to the raw data if it occurs at The Beachcomber’s Offices, with appropriate restrictions and protections as set out in the NDA pre-plaintiff, would be consistent with the rights of the data subjects under the DPA (sixth principle).</td> </tr> <tr> <td><sup>20</sup> By-Law 44.</td> </tr> <tr> <td><sup>21</sup> Schedule 5 Condition of Consent Paragraph 3.</td> </tr> </table> ``` ```latex \section{91. The sixth data protection principle is the rights principle.} The DPA provides specific rights to data subjects, including the right to certain information from a Data Controller and the right to access Personal Data held by a Data Controller. The purpose of this principle is to ensure that the processing of data is consistent with the rights of data subjects under the DPA. The Defendant contends that the right of a data subject to cease or restrict processing pursuant to s.10 of the DPA should be considered in the circumstances of the Plaintiff's request. A data subject has the right to withdraw that consent\footnote{Schedule 5 Condition of Consent Paragraph 3.} at any time. It is contended that, even if it could be argued that the proprietors have by expressly agreeing to be bound by the By-Laws, which includes the By-Law 48(b) inspection provision, already consented to the inspection by another proprietor of documents whatsoever held by the Committee, that any such consent no longer exists. This is contended due to the result of the survey of owners which resulted in twenty seven owners communicating their objection to their personal data being shared with another proprietor. At this stage, I find that the access to the raw data if it occurs at The Beachcomber’s Offices, with appropriate restrictions and protections as set out in the NDA pre-plaintiff, would be consistent with the rights of the data subjects under the DPA (sixth principle). \footnote{By-Law 44.}

¶ [92] The seventh data protection principle is the security measures principle and requires that appropriate technical and organisational measures be taken in relation to personal data. At this stage, I find that the access to the raw data if it occurs at The Beachcomber’s Office, with appropriate restrictions and protections as set out in the NDA proposed by the Plaintiff would be consistent with the rights of the data subjects under the DPA (sixth data principle) as well as the security measures principle. ### Conclusions

¶ [93] Turning to the relief sought in the Originating Summons, in relation to the declaratory relief, having regard to my finding that By-Law 48(b) is subject to the DPA considerations, I do not make any of the declarations sought.

¶ [94] In relation to the injunctive relief sought, I am satisfied for the reasons set out above that the Data Protection Principles can be complied with if the data is processed by the Defendant and the more focused access is granted to the Plaintiff. In relation to the First Principle, I am satisfied that with the appropriate mechanism in place the personal details will be processed fairly and that the processing for legitimate interests and necessary contract conditions are met.

¶ [95] Accordingly, subject to the NDA condition below, I make an injunction requiring the Defendant Plaintiff to have inspected at The Beachcomber’s Office and to grant access to inspect the following: ```
(i) the raw documentation held by the Committee/Corporation showing the historic data for each Unit by unit number for the period of the 2017/2018, 2018/2019, 2019/2020 financial years and the current year to date; (ii) the management fee deducted for each rental of that Unit; (iii) the check in date and check out date for each rental of that Unit; and (iv) the dates the Unit was blocked out as unavailable for rental and the reason why.

¶ [96] This injunction is conditional upon an NDA being entered into between Mr. Montgomery and the Defendant and which covers all activities involved in Mr. Montgomery accessing the abovementioned information. The data accessed should only be used by Mr. Montgomery and any permitted third party for the purposes of reviewing the performance of the rental pool at The Beachcomber and for making proposals to the Committee and to other owners for ways in which the operation of the rental pool could be improved. Mr. Montgomery should maintain the confidentiality of rental and revenue data for specific units and condominium ownership. Any data discussed or presented should be in a format that does not reveal specific unit numbers or owners names. Any data accessed by Mr. Montgomery should be kept strictly confidential and not shared with other parties other than owners at The Beachcomber and the attorneys and accountants, who will before the disclosure of any data sign an appropriately worded NDA confirming that the data will be kept strictly confidential and not shared with any third party other than as required by law. If f's intentionthe data accessed with professional parties should not be real estate(s) the Plaintiff is to share any real estate professionals, then they should first request that it may be shown to and that professional must also enter into an appropriately worded NDA. After the review has been concluded by the Plaintiff, if any raw data has been removed, 211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment Page 50 of 51
```html <table> <tr> <td>then the raw data will be returned to The Beachcomber offices. The wording of all of the</td> </tr> <tr> <td>aforementioned NDAs is to be perfected by the parties and the Court's above indications</td> </tr> <tr> <td>should greatly assist in that regard.</td> </tr> </table> <h3>Costs</h3> <p>97. Neither party in this matter can claim to have been fully successful, with findings being</p> <p>made in favour of each of them on different issues raised. This is not a matter, on the</p> <p>written evidence before me, in which I find that the Defendant has been obstructive and</p> <p>refused access for improper reasons. I am satisfied that the Defendant's position has been</p> <p>motivated by a concern that to voluntarily grant the initially unfettered access requested</p> <p>and the access set out in the Originating Summons might have put it in breach of the</p> <p>provisions of the DPA, and not by some improper motive. In fact, I am cognisant that the</p> <p>Defendant has been constructive in suggesting ways forward in a DPA compliant</p> <p>manner, as has the Plaintiff. It is, as I have already remarked, most regrettable that the</p> <p>earlier discussions did not end up being fruitful, especially as far back as late 2019/early</p> <p>2020. If either party wishes to be heard on the issue of costs, then they should make the</p> <p>application in the normal way by Summons.</p> <table> <tr> <td>211125 RB440 Properties Ltd vs The Proprietors, Strata Plan No. 22 - Judgment</td> </tr> <tr> <td>Page 51 of 51</td> </tr> </table>